What is SAML and how does it work?
 

Note: All the SAML configuration and authentication steps discussed for Endpoint Central Cloud also apply to Patch Manager Plus Cloud and Remote Access Plus Cloud.

What is SAML Authentication?

Security Assertion Markup Language (SAML) is the de facto open standard for exchanging authentication and authorization details between a Service Provider and an Identity Provider. The details are exchanged as digitally signed XML documents containing user data. Endpoint Central supports SAML 2.0 authentication. When this feature is enabled, users can log in to Endpoint Central Cloud through a Single Sign-On (SSO) service that supports SAML authentication.

Terms to know:

Service Provider - The application providing a specific service, which authenticates and authorizes users based on the security assertions obtained through SSO. For example: CRM, Endpoint Central, etc.

Identity Provider - The entity that maintains and manages the users' credentials. For example: Okta, OneLogin, etc.

Single Sign-On service - A service provided by the Identity Provider with a centralized login system: the user enters the credentials once, after which the authentication and authorization details are passed to the different service providers to grant the user access.

The main advantage of SSO is centralized authentication, which eliminates the need for users to remember multiple passwords to access different applications.

How does SAML authentication work?

When a user tries to log in to the Service Provider, the user is redirected to the SSO login page. Once the credentials are entered, the SSO service passes the authentication and authorization details to the Service Provider, which then decides, based on those details, whether or not to grant the user access.
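The flow above, seen from the Service Provider's side, as an added example that is not part of this page or of the Endpoint Central product: a Python function that applies the checks an SP performs on the SAML Response the IdP posts to the ACS URL (Destination and Recipient must be the HTTPS ACS URL, the Issuer must be the configured IdP, the Audience must be the SP's Entity ID, the validity window must not have passed, and the NameID must be an email address that exists in the SP's own user list). The entity IDs, URLs, user table and sample Response are constructed placeholders, and cryptographic verification of the XML signature is assumed to have been done by an XML-DSig library before this function runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailaddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed SP/IdP configuration: placeholder values, not real endpoints.
SP_ENTITY_ID = "https://sp.example.test/metadata"
ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/"
CLOCK_SKEW = timedelta(minutes=2)
# Constructed local user directory; every account has a unique email ID.
LOCAL_USERS = {"alice@example.test": "alice", "bob@example.test": "bob"}


class SamlValidationError(Exception):
    pass


def parse_time(value):
    """xs:dateTime such as 2024-05-01T10:00:00Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, now=None):
    """Return the local username for an acceptable Response, else raise."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    # The IdP must have posted the response to our HTTPS ACS URL.
    dest = root.get("Destination", "")
    if dest != ACS_URL or not dest.startswith("https://"):
        raise SamlValidationError("unexpected Destination %r" % dest)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no Assertion")
    # Only signed assertions are acceptable; the XML-DSig check itself is
    # assumed to have been done by an XML security library before this point.
    if assertion.find("ds:Signature", NS) is None:
        raise SamlValidationError("Assertion is not signed")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("Assertion issued by an unknown IdP")
    # Validity window, with a small clock-skew allowance.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + CLOCK_SKEW < parse_time(nb):
        raise SamlValidationError("assertion not yet valid")
    if noa and now - CLOCK_SKEW >= parse_time(noa):
        raise SamlValidationError("assertion expired")
    # The assertion must be addressed to this SP: Audience == our Entity ID.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("audience mismatch: %r" % audiences)
    # Bearer confirmation: Recipient must be our ACS URL and not yet expired.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise SamlValidationError("SubjectConfirmationData Recipient mismatch")
    if scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= parse_time(scd.get("NotOnOrAfter")):
        raise SamlValidationError("subject confirmation expired")
    # The IdP must identify the user by email, and that email must exist locally.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise SamlValidationError("NameID is not in emailaddress format")
    email = (name_id.text or "").strip().lower()
    if email not in LOCAL_USERS:
        raise SamlValidationError("no local account for %r" % email)
    return LOCAL_USERS[email]


# Constructed sample Response; the ds:Signature element is a stand-in for the
# real XML-DSig block and carries no usable signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" Destination="https://sp.example.test/saml/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailaddress">alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml/acs" NotOnOrAfter="2024-05-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, now=parse_time("2024-05-01T10:01:00Z")))  # alice
```

Each rejection maps to one of the configuration values this page asks you to exchange: the Entity ID is what the Audience check compares against, the ACS URL is what Destination and Recipient are compared against, and the email-format NameID is why every account needs a unique email ID on both sides.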

Prerequisites:

  • Since the IdP redirection happens over the HTTPS port, the HTTPS port must be kept open. The ACS URL is generated using HTTPS only.
  • The Identity Provider should support HTTP POST binding.
  • Certificates from the Identity Provider must not be tampered with, encrypted, or expired, and must be base64-encoded.

Data provided by Endpoint Central Cloud that has to be entered in IdP

After logging into Endpoint Central Cloud, go to the Admin tab and select SAML Authentication. Here you can find the details provided by Endpoint Central Cloud that have to be entered on the IdP's side.

  • Entity ID
    Entity ID is a globally unique identifier used to represent your Endpoint Central Cloud instance. zoho.com is the entity ID to be configured in the IdP.
  • Assertion Consumer Service URL (ACS URL)
    The ACS URL or Reply URL is an endpoint pointing to your Endpoint Central Cloud instance that tells the IdP where to send the SAML response.

Data required by Endpoint Central from IdP

After logging into the product console, go to the Admin tab and select SAML Authentication. At the bottom, enter the IdP's details.

  • Login URL
    The Login URL is an endpoint pointing to your IdP that tells Endpoint Central Cloud where to send the SAML request.
  • Logout URL
    The Logout URL is the IdP URL where the sign out request will be sent when the user signs out from Endpoint Central Cloud.
  • Certificate
    A certificate from the IdP, used by Endpoint Central Cloud to verify future SAML requests from the IdP.
  • Note: We accept only the following certificate formats: a base64-encoded .cer, .crt, .cert, or .pem file. Make sure to upload the certificate in one of these formats.
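The certificate prerequisites above (base64 PEM encoding, not an encrypted key, not expired), as an added example that is not part of this page or of the Endpoint Central product: a Python loader for an uploaded IdP certificate that checks the PEM armor, base64-decodes it, walks the DER structure far enough to read the Validity dates, and rejects the file if it is expired or is a private key. The DER reader is a minimal hand-written one (no third-party library); `build_sample_cert` produces a constructed, unsigned certificate skeleton purely so the example runs offline, and is not a usable certificate.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def read_tlv(buf, pos=0):
    """Minimal DER reader: (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """(tag, content) for each element inside a SEQUENCE/SET body."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        items.append((tag, body))
    return items


def parse_x509_time(tag, body):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """(notBefore, notAfter) from the tbsCertificate of a DER-encoded X.509 cert."""
    tag, cert_body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs, _ = read_tlv(cert_body)
    if tbs_tag != 0x30:
        raise ValueError("missing tbsCertificate")
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:     # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    validity_tag, validity = fields[3]
    if validity_tag != 0x30:
        raise ValueError("malformed Validity")
    times = der_children(validity)
    return parse_x509_time(*times[0]), parse_x509_time(*times[1])


def load_idp_certificate(text, now=None):
    """Accept a base64 PEM certificate (.cer/.crt/.cert/.pem) that is structurally sound and unexpired."""
    now = now or datetime.now(timezone.utc)
    if "PRIVATE KEY" in text or "ENCRYPTED" in text:
        raise ValueError("expected a certificate, not a (possibly encrypted) private key")
    m = PEM_RE.search(text)
    if m is None:
        raise ValueError("no base64 PEM CERTIFICATE block found (binary DER is not accepted)")
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError as exc:
        raise ValueError("certificate body is not valid base64") from exc
    not_before, not_after = certificate_validity(der)
    if not (not_before <= now < not_after):
        raise ValueError("certificate not valid at %s (valid %s to %s)" % (now, not_before, not_after))
    return {"der": der, "not_before": not_before, "not_after": not_after}


def _tlv(tag, body):
    """DER-encode one element (used only to build the constructed sample)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(not_before, not_after):
    """Constructed, unsigned X.509 skeleton in PEM form: enough structure for the
    checks above, not a usable certificate (the signature value is empty)."""
    seq = lambda *parts: _tlv(0x30, b"".join(parts))
    utc_time = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))  # sha256WithRSA
    name = seq(_tlv(0x31, seq(_tlv(0x06, bytes.fromhex("550403")), _tlv(0x0C, b"Example IdP"))))  # CN
    tbs = seq(_tlv(0xA0, _tlv(0x02, b"\x02")), _tlv(0x02, b"\x01"), sig_alg, name,
              seq(utc_time(not_before), utc_time(not_after)), name, seq(sig_alg, _tlv(0x03, b"\x00")))
    der = seq(tbs, sig_alg, _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()


if __name__ == "__main__":
    pem = build_sample_cert(utc(2024, 1, 1), utc(2026, 1, 1))
    print(load_idp_certificate(pem, now=utc(2025, 6, 1))["not_after"])  # 2026-01-01 00:00:00+00:00
```

In a real deployment the decoded DER would then be handed to a proper X.509 library for signature-key extraction; the point here is only the pre-check that mirrors the upload rules above, so a wrongly exported file (binary DER, a key file, or an expired certificate) is rejected with a clear message before any SAML login is attempted against it.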

Videos on how to configure SAML authentication settings between Endpoint Central Cloud and the following Identity Providers are available:

  • OneLogin
  • Okta
  • Azure
  • Auth0

For the Auth0 configuration, enter the following JSON in the Auth0 settings window, as shown:

    {
      "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailaddress",
      "nameIdentifierProbes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
      ]
    }

Note:
  • To log in successfully using SAML, the user must be present both in the IdP and in Endpoint Central Cloud.
  • SAML authentication may not work in browsers that are not supported by the Identity Provider.
  • Currently, SAML Logout is not supported.
  • All accounts should have a unique email ID associated with them in Endpoint Central Cloud.
  • The email ID should be selected in the Identity Provider as the identifier used for authenticating users.